== Installation ==

{{Note|For opening and accessing an existing TrueCrypt container, [[#Accessing a TrueCrypt container using cryptsetup|cryptsetup]] is the preferred way, since it is well integrated with the rest of the system. Creating a new TrueCrypt container can be done using {{ic|truecrypt}}, after which it can be opened using {{ic|cryptsetup}}.}}

[[pacman|Install]] {{Pkg|truecrypt}} from the [[official repositories]].

If you use any kernel other than {{Pkg|linux}}, install the corresponding kernel module.

If you are using truecrypt to encrypt a virtual filesystem (e.g. a file), the module will be loaded automatically whenever you run the ''truecrypt'' command.

If you are using truecrypt to encrypt a physical device (e.g. a hard disk or USB drive), you will likely want to load the module during the boot sequence. Add the module to {{ic|/etc/modules-load.d/}}:

 # tee /etc/modules-load.d/truecrypt.conf <<< "truecrypt"

{{Note|
* This didn't work for me (module truecrypt seems to be non-existent now), but adding the "loop" module worked:
 # tee /etc/modules-load.d/truecrypt.conf <<< "loop"
 # modprobe loop
* It does not appear that loading a module applies with TrueCrypt 7.1a, the current version in Arch as of 4/19/2013. The above advice may be outdated with respect to the module; however, it is still important to enable '''FUSE''', '''loop''' and your encryption algorithm (e.g. '''AES''', '''XTS''', '''SHA512''') in custom kernels.
* If you only want to open and access an existing TrueCrypt container, this can also be done with {{ic|cryptsetup}}, i.e. without installing TrueCrypt; see [[#Accessing a TrueCrypt container using cryptsetup]].
}}

== Accessing a TrueCrypt container using cryptsetup ==

Since version 1.6, {{Pkg|cryptsetup}} supports opening TrueCrypt containers natively, without the need for the {{Pkg|truecrypt}} package. To do so, execute the following command:

 # cryptsetup --type tcrypt open container-to-mount container-name

Replace {{ic|container-to-mount}} with the device file under {{ic|/dev}} or the path to the file you wish to open. Upon successful opening, the plaintext device will appear as {{ic|/dev/mapper/container-name}}, which you can {{ic|mount}} like any normal block device (and {{ic|cryptsetup close container-name}} removes the mapping again after unmounting).

If you are using keyfiles, supply them using the {{ic|--key-file}} option (once per keyfile). To open a hidden volume, supply the {{ic|--tcrypt-hidden}} option.

Opening a partition that has been encrypted in system mode is done using the {{ic|--tcrypt-system}} option. Note that you will have to supply the whole device to cryptsetup in this case, because the TrueCrypt boot loader keeps its header outside the partition. For example, if your system encrypted partition is {{ic|/dev/sda2}}, you have to open it using {{ic|/dev/sda}} as the device.
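The shell script below is an added example; it is not part of the wiki page nor of cryptsetup itself. It wraps the three invocations just described: {{ic|tcrypt_parent_disk}} turns a partition name into the whole-disk device that {{ic|--tcrypt-system}} requires (covering {{ic|sdXN}}, {{ic|vdXN}}, {{ic|nvmeXnYpZ}}, {{ic|mmcblkXpY}} and {{ic|loopXpY}} naming), and {{ic|tcrypt_open}} assembles the {{ic|cryptsetup}} command for a normal, hidden or system volume with an optional keyfile and verifies that the mapping actually appeared. The function names and the {{ic|TCRYPT_DRY_RUN}} variable are the example's own; the cryptsetup options are the real ones.

```sh
#!/bin/sh
# Added example (not from the Arch wiki page or the cryptsetup project).
# Helper names (tcrypt_parent_disk, tcrypt_open, tcrypt_close) and the
# TCRYPT_DRY_RUN variable are this example's own; the cryptsetup options
# (--type tcrypt, --key-file, --tcrypt-hidden, --tcrypt-system, open, close)
# are the documented ones from cryptsetup >= 1.6.

# --tcrypt-system wants the whole disk, not the system partition.
# Map a partition device to its parent disk for the common naming schemes.
tcrypt_parent_disk() {
    case "$1" in
        /dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*|/dev/loop*p[0-9]*)
            printf '%s\n' "${1%p[0-9]*}" ;;           # strip the pN suffix
        /dev/[sv]d[a-z]*)
            printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;  # strip trailing digits
        *)
            printf 'cannot derive parent disk of %s\n' "$1" >&2
            return 1 ;;
    esac
}

# Usage: tcrypt_open <container> <name> [keyfile] [normal|hidden|system]
# Opens the TrueCrypt volume as /dev/mapper/<name>. With TCRYPT_DRY_RUN=1 the
# assembled command is printed instead of executed.
tcrypt_open() {
    container=$1; name=$2; keyfile=${3:-}; mode=${4:-normal}
    set -- cryptsetup --type tcrypt
    if [ -n "$keyfile" ]; then
        set -- "$@" --key-file "$keyfile"
    fi
    case "$mode" in
        normal) ;;
        hidden) set -- "$@" --tcrypt-hidden ;;
        system)
            set -- "$@" --tcrypt-system
            container=$(tcrypt_parent_disk "$container") || return 1 ;;
        *)
            printf 'unknown volume mode: %s\n' "$mode" >&2
            return 1 ;;
    esac
    set -- "$@" open "$container" "$name"
    if [ "${TCRYPT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@" || return 1
    # cryptsetup reported success; make sure the plaintext device really exists.
    [ -b "/dev/mapper/$name" ]
}

# Unmount (if mounted) and remove the mapping again.
tcrypt_close() {
    umount "/dev/mapper/$1" 2>/dev/null || true   # harmless if never mounted
    cryptsetup close "$1"
}

# Example session (needs root and a real volume):
#   tcrypt_open /dev/sda2 system '' system && mount /dev/mapper/system /mnt
#   ... work ...
#   umount /mnt && tcrypt_close system
```

Run it with {{ic|1=TCRYPT_DRY_RUN=1}} first to see the exact command that would be executed; the whole-disk substitution is the part people most often get wrong by hand.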

=== Automounting using /etc/crypttab ===

Since version 206, [[systemd]] supports (auto)mounting TrueCrypt containers at boot or at runtime using {{ic|/etc/crypttab}}.

The following example setup will mount {{ic|/dev/sda2}} in system encryption mode as soon as {{ic|/mnt/truecrypt-volume}} is accessed, using systemd's automounting logic. The passphrase to open the volume is read from {{ic|/etc/volume.password}}.
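As an added example (not the page's own listing), these are the two entries that realise the setup just described. The volume name, mount point and password file follow the text above; the options are the ones documented in {{ic|man crypttab}} and {{ic|man systemd.mount}}, and the filesystem type is an assumption:

```text
# /etc/crypttab
# <name>          <device>  <password file>       <options>
truecrypt-volume  /dev/sda  /etc/volume.password  tcrypt-system

# /etc/fstab
# <device>                    <mount point>          <type>  <options>                   <dump> <pass>
/dev/mapper/truecrypt-volume  /mnt/truecrypt-volume  ext4    noauto,x-systemd.automount  0      0
```

For a plain container use {{ic|tcrypt}} instead of {{ic|tcrypt-system}}, add {{ic|tcrypt-hidden}} for a hidden volume, and add {{ic|1=tcrypt-keyfile=/path}} once per keyfile. With the {{ic|tcrypt}} options the third field holds the passphrase itself, not a keyfile, so keep {{ic|/etc/volume.password}} owned by root with mode 600 and remember that whoever can read that file can open the volume; put {{ic|none}} there instead to be prompted for the passphrase at boot.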

See {{ic|man crypttab}} for more details and the supported options.


== Encrypting a physical volume ==

{{Note|1=If you are having problems with the graphical interface, you can run in CLI mode with the {{ic|-t}} flag.}}

If you want to use a keyfile, create one first with {{ic|truecrypt --create-keyfile}}. By default both the passphrase and the keyfile will be needed to unlock the volume, so losing the keyfile means losing the volume: back it up somewhere the volume itself is not.
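An added example, not the page's own commands and not TrueCrypt's {{ic|--create-keyfile}}: a POSIX shell helper that creates a keyfile from {{ic|/dev/urandom}} with owner-only permissions from the first moment the file exists, plus a check that refuses to use a keyfile other users can read. TrueCrypt, and cryptsetup's {{ic|--key-file}}, read at most the first 1 MiB of a keyfile, so the 64 random bytes used here already carry far more entropy than any passphrase. The function names and the default size are the example's own.

```sh
#!/bin/sh
# Added example (not from the wiki page; not TrueCrypt's own keyfile generator).
# Function names and the 64-byte default are this example's choices.
# TrueCrypt uses at most the first 1 MiB of a keyfile, so a small random file
# is as good as a large one.

# make_keyfile <path> [bytes]: create <path> holding <bytes> random bytes.
# The umask is set in a subshell so the file is born with mode 600 rather
# than being created world-readable and chmod'ed afterwards (a window an
# attacker on the same host could use).
make_keyfile() {
    path=$1; bytes=${2:-64}
    if [ -e "$path" ]; then
        printf 'refusing to overwrite existing keyfile %s\n' "$path" >&2
        return 1
    fi
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" ) || return 1
    # head can come up short if the RNG device is broken; fail loudly then.
    [ "$(wc -c < "$path")" -eq "$bytes" ]
}

# keyfile_is_private <path>: succeed only for a non-empty regular file whose
# group and other permission bits are all zero (e.g. 600 or 400).
keyfile_is_private() {
    path=$1
    [ -f "$path" ] && [ -s "$path" ] || return 1
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
        *00) return 0 ;;
        *)
            printf 'keyfile %s has mode %s; expected 600 or 400\n' "$path" "$mode" >&2
            return 1 ;;
    esac
}

# Typical use (root, real volume):
#   make_keyfile /etc/disk.key && keyfile_is_private /etc/disk.key &&
#       cryptsetup --type tcrypt --key-file /etc/disk.key open /dev/sda1 data
```

Run {{ic|keyfile_is_private}} before every automated open (e.g. from a boot script): a keyfile that silently became group- or world-readable after a backup restore is the classic way such a volume stops being private.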

Create a new volume on the device {{ic|/dev/sda1}}:

 # truecrypt --volume-type=normal -c /dev/sda1

Map the volume to {{ic|/dev/mapper/truecrypt1}}:

 # truecrypt -N 1 /dev/sda1

If this command does not work for you, try this to map the volume:

 # truecrypt --filesystem=none --slot=1 /dev/sda1

Format the disk like you normally would, choosing your favourite [[File Systems|file system]], except use the path {{ic|/dev/mapper/truecrypt1}}. E.g. for ext4 use:

 # mkfs.ext4 /dev/mapper/truecrypt1

Mount the volume:

 # mount /dev/mapper/truecrypt1 /media/disk

Map and mount a volume in one step:

 # truecrypt /dev/sda1 /media/disk

Unmount and unmap a volume:

 # truecrypt -d /dev/sda1

== Creating a hidden volume ==

First, create a normal outer volume as described in [[#Encrypting a physical volume]].

Map the outer volume to {{ic|/dev/mapper/truecrypt1}}:

 # truecrypt -N 1 /dev/sda1

Create a hidden TrueCrypt volume in the free space of the outer volume:

 # truecrypt --volume-type=hidden -c /dev/sda1

You need to use a different passphrase and/or keyfile here than the one you used for the outer volume: the passphrase is the only thing that selects which of the two volumes gets opened.

Unmap the outer TrueCrypt volume and map the hidden one:

 # truecrypt -d /dev/sda1
 # truecrypt -N 1 /dev/sda1

Just use the passphrase you chose for the hidden volume and TrueCrypt will automatically try it before the outer one.

Create a file system on it (if you have not already) and mount it:

 # mkfs.ext4 /dev/mapper/truecrypt1
 # mount /dev/mapper/truecrypt1 /media/disk

Whenever you later write to the outer volume, map and mount it with the hidden volume write-protected, so that data written to the outer volume cannot overwrite the hidden one. Do this with ''truecrypt'': {{ic|cryptsetup}} opens either the outer or (with {{ic|--tcrypt-hidden}}) the hidden volume and offers no such protection, so writing to the outer volume through cryptsetup can silently destroy the hidden volume.

== Mount a special filesystem ==

{{Note|Current versions of TrueCrypt seem to support NTFS write support by default, so the {{ic|--filesystem}} flag no longer seems to be necessary.}}

In the following example I want to mount an NTFS volume, but TrueCrypt does not use ''ntfs-3g'' by default (so there is no write access; checked in version 6.1).

The following command works for me:

 # truecrypt --filesystem=ntfs-3g --mount /file/you/want/to/mount

== Mount volumes via fstab ==

First of all, we need to write a script which will handle the way mounting via fstab is done. Place the following in {{ic|/usr/bin/mount.truecrypt}}:

== Automatic mount on login ==

to your startup procedure. Do not use the {{ic|-p}} switch; this method is more secure. Otherwise everyone on the machine can simply look up the password via ''ps'' and similar tools, because it is part of the process's command line! [http://thoughtyblog.wordpress.com/2009/07/05/truecrypt-linux-hide-password-from-ps/ source]

The most recent TrueCrypt asks a couple of follow-up questions. If you have ''expect'' installed, the following will work (assuming no keyfile and no desire to protect a hidden volume). Save it to a file with root-only permissions and call it from {{ic|/etc/rc.local}}; the password is fed to TrueCrypt through a pseudo-terminal, so it never appears in the command line, but anyone who can read the script file can read it:

{{bc|<nowiki>
#!/bin/bash
expect << EOF
spawn /usr/bin/truecrypt /path/to/EncryptedFile /mount/point
expect "Enter password"
send "volume password\n"
expect "Enter keyfile"
send "\n"
expect "Protect hidden volume"
send "\n"
expect eof
EOF
</nowiki>}}

Of course, this is not as secure as entering your password manually. But for some use cases, such as when your TrueCrypt filesystem is in a file on shared storage, it is better than being unencrypted.
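To make the warning about {{ic|-p}} concrete, here is an added example, not from the page or the blog post linked above. It starts a stand-in process with a placeholder secret on its command line, reads that command line back the way {{ic|ps}} does (from {{ic|/proc/PID/cmdline}}, falling back to {{ic|ps}}), and then repeats the check with the secret delivered on stdin instead, which is what the ''expect'' script above achieves through a pseudo-terminal and what {{ic|cryptsetup --key-file -}} does. {{ic|sleep}} stands in for {{ic|truecrypt}}; the secret {{ic|hunter2xyz}}, the function names and the timings are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the wiki page or the linked blog post).
# `sleep` stands in for truecrypt; the secret and function names are made up.

# Print the command line of a running process, as ps(1) would show it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# leak_via_argv <secret>: start a process with <secret> as an argument,
# exactly what `truecrypt -p SECRET` does, and count how many lines of its
# visible command line contain the secret. Any local user can do this.
leak_via_argv() {
    secret=$1
    # sh -c 'cmd' NAME ARG: ARG lands in argv of the child, like -p SECRET.
    sh -c 'sleep 5' demo "$secret" &
    pid=$!
    sleep 1                                  # let the child exec before looking
    n=$(cmdline_of "$pid" | grep -c -- "$secret" || true)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$n"
}

# leak_via_stdin <secret>: same check, but the secret travels over a pipe
# into the child's stdin and never touches argv.
leak_via_stdin() {
    secret=$1
    printf '%s\n' "$secret" | sh -c 'read -r pw; sleep 5' demo &
    pid=$!                                   # pid of the last pipeline element
    sleep 1
    n=$(cmdline_of "$pid" | grep -c -- "$secret" || true)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$n"
}

# Demo when run directly: prints "argv: 1" and "stdin: 0".
if [ "${TCRYPT_DEMO:-0}" = 1 ]; then
    printf 'argv: %s\n'  "$(leak_via_argv hunter2xyz)"
    printf 'stdin: %s\n' "$(leak_via_stdin hunter2xyz)"
fi
```

The same applies to any wrapper you write around {{ic|truecrypt}} or {{ic|cryptsetup}}: pass secrets through a file with mode 600, a pipe or a pseudo-terminal, never through arguments, and remember that {{ic|/proc/PID/cmdline}} is world-readable by default.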

== Safely unmount and unmap volumes (on shutdown) ==

You can unmount a specific device by

 # truecrypt -d ''/path/to/mountpoint''

or leave away the path to unmount all TrueCrypt volumes.

You can also leave away the sleep command; it is just there to give the unmounting some time to complete before the actual shutdown.

If you are using systemd, there is a service for unmounting TrueCrypt-encrypted filesystems at shutdown automatically on the [[systemd/Services]] page.



== Encrypting a file as a virtual volume ==

The following instructions will create a file that will act as a virtual filesystem, allowing you to mount it and store files within the encrypted file. This is a convenient way to store sensitive information, such as financial data or passwords, in a single file that can be accessed from Linux, Windows or macOS.

To create a new TrueCrypt file interactively, type the following in a terminal:

 $ truecrypt -t -c

Follow the instructions, choosing the default values unless you know what you are doing.

{{Note|TrueCrypt requires root privileges and as such, running the above command as a user will attempt to use '''sudo''' for authentication. To work with files as a regular user, see [[#Mount volumes as a normal user|Mount volumes as a normal user]].}}

Once mounted, you can copy or create new files within the encrypted directory as if it was any normal directory. When you are ready to re-encrypt the contents and unmount the directory, run:

 $ truecrypt -t -d

Again, this will require administrator privileges through the use of '''sudo'''. After running it, check that the files that are to be encrypted are indeed no longer in the directory (you might want to try with unimportant data first). If plaintext copies are still there, delete them, bearing in mind that ''rm'' does not make the data unrecoverable.

For more information about TrueCrypt in general, run:

 $ man truecrypt

{{Note|As of 1:7.1a-1 there does not seem to be a man or info page.}}

Several options can be passed on the command line, making automated access and creation a simple task. The man page is highly recommended reading.


== Errors ==

=== TrueCrypt is already running ===

If a message box ''TrueCrypt is already running'' appears when starting TrueCrypt, check for a hidden file in the home directory of the concerned user called {{ic|.TrueCrypt-lock-''username''}}. Substitute ''username'' with the individual username. Delete the file and start TrueCrypt again.

=== Deleted stale lockfile ===

If you always get a message "Delete stale lockfile [....]" after starting TrueCrypt, the TrueCrypt process with the lowest ID has to be killed during GNOME log out. Edit {{ic|/etc/gdm/PostSession/Default}} and add the following line before {{ic|exit 0}}:

 kill $(pgrep -o truecrypt)

{{ic|pgrep -o}} selects the oldest (lowest-PID) matching process and, unlike {{ic|ps -ef {{!}} grep truecrypt}}, neither matches the grep itself nor kills every other TrueCrypt process.

=== Issues with Unicode file/folder names ===

==== NTFS ====

Should files or folders containing Unicode characters in their names be displayed incorrectly or not at all on TrueCrypt NTFS volumes (while e.g. being handled correctly on non-encrypted NTFS partitions), first verify that you have the NTFS-3G driver installed and then create the following symlink as root:

 # ln -s /sbin/mount.ntfs-3g /sbin/mount.ntfs

That will cause TrueCrypt to automatically use this driver for NTFS volumes, having the same effect as the explicit use of {{ic|1=--filesystem=ntfs-3g}} (see [[#Mount a special filesystem]]).

==== FAT ====

Similarly, FAT32 volumes created using Windows may use Unicode rather than ISO 8859-1. In order to use UTF-8, set the mount option

 iocharset=utf8

when mounting such volumes, or globally as described above.

=== Unmount error (device mapper) ===

If you always get a message "device-mapper: remove ioctl failed: Device or resource busy" when attempting to dismount your TrueCrypt volume, the solution is to go to ''Setting > Preferences > System Integration > Kernel Service'' and check the box

 Do not use kernel cryptographic services

=== Mount error (device mapper, truecrypt partition) ===

When attempting to mount your TrueCrypt volume, a message like this one may appear:

=== Failed to set up a loop device ===

If you get a message "Failed to set up a loop device" when trying to create or mount a TrueCrypt volume, it may be because you updated your kernel recently without rebooting. Rebooting should fix this error.

Otherwise, check if ''loop'' has been loaded as a kernel module:

 $ lsmod | grep loop

If it is not listed, retry the TrueCrypt command after {{ic|modprobe loop}}. Should it work, consider adding ''loop'' to the modules in {{ic|/etc/modules-load.d}}:

 # tee /etc/modules-load.d/truecrypt.conf <<< "loop"

{{Note|As of udev 181-5, the loop device module is no longer auto-loaded, and the procedure described here is necessary.}}

=== System partition passwords need en_US keymap ===

If you are using Xorg (which you most likely are, should you not know what that is), use the following command to use the US keymap until restart: